Threat behavior
Backdoor:Win32/Nuwar.gen!D is a generic detection for a backdoor trojan that allows unauthorized access to an infected computer. The trojan receives commands indirectly from a remote attacker via its connection to a malicious peer-to-peer network. This trojan also contains advanced stealth functionality that allows it to hide particular files, registry entries and registry values.
Installation
When executed, Backdoor:Win32/Nuwar.gen!D creates a configuration file and a copy of itself as the following files:
%windir%\<filename>.config - configuration data file, detected as Backdoor:Win32/Nuwar.B!ini
%windir%\<filename>.exe - copy of the trojan, detected as Backdoor:Win32/Nuwar.gen!D
The configuration data file created contains a list of peers to connect to initially (see 'Backdoor Functionality' section below for further detail).
NOTE: <filename> is a variant specific name.
The registry is modified to execute Backdoor:Win32/Nuwar.gen!D at each Windows start, for example:
Adds value: "farkrish"
With data: "%windir%\farkrish.exe"
To subkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It makes a further registry modification that registers itself as an authorized application in the Windows Firewall policy, so that its network connections are not blocked, for example:
Adds value: "%windir%\farkrish.exe"
With data: "%windir%\farkrish.exe:*:enabled:enable"
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
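The two registry changes above are the host-level indicators an analyst can check for. The following script is an added example written for this description, not Microsoft's own detection logic: it parses a registry export (the text produced by "reg export") and flags Run values that launch a bare executable placed directly in the Windows directory, firewall AuthorizedApplications entries of the form "path:*:enabled:name" for such an executable, and the combination of both for the same path, which is the pattern described above. It generalizes slightly by looking at any Run key (HKLM as well as HKCU) and assumes the Windows directory is <drive>:\Windows; the registry export it runs on is constructed sample data that mirrors the farkrish example, not a capture from an infected host.

```python
import re
from typing import Dict, List

# Constructed sample of a "reg export"-style dump (not data from a real host);
# the farkrish entries mirror the example in the description above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"farkrish"="C:\\WINDOWS\\farkrish.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\WINDOWS\\farkrish.exe"="C:\\WINDOWS\\farkrish.exe:*:enabled:enable"
"""

RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"
FW_LIST_SUFFIX = r"\firewallpolicy\standardprofile\authorizedapplications\list"

# A bare executable directly in %windir% (e.g. C:\WINDOWS\farkrish.exe), the drop
# location described above. Assumption: the Windows directory is <drive>:\Windows.
WINDIR_EXE = re.compile(r'^"?([a-z]:\\windows\\[^\\:"]+\.exe)"?$', re.IGNORECASE)
# Firewall authorized-application data: "<path>:<scope>:<enabled|disabled>:<display name>"
FW_ENTRY = re.compile(r'^(?P<path>[a-z]:[^:]*):(?P<scope>[^:]*):(?P<state>[^:]*):(?P<name>.*)$',
                      re.IGNORECASE)
# One REG_SZ line in a .reg file: "name"="data" (backslashes and quotes are escaped)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg files write \\ for a backslash and \" for a quote inside string data
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the REG_SZ values of a .reg export: {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def scan_reg_export(text: str) -> List[Dict[str, str]]:
    """Return findings for Run values and firewall exceptions that point at a bare
    %windir%\\<name>.exe, plus one correlated finding per path present in both."""
    findings: List[Dict[str, str]] = []
    run_paths: Dict[str, str] = {}
    fw_paths: Dict[str, str] = {}
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        for name, data in values.items():
            if k.endswith(RUN_KEY_SUFFIX):
                m = WINDIR_EXE.match(data.strip())
                if m:
                    run_paths[m.group(1).lower()] = name
                    findings.append({"indicator": "run_key", "key": key,
                                     "name": name, "path": m.group(1)})
            elif k.endswith(FW_LIST_SUFFIX):
                m = FW_ENTRY.match(data)
                if (m and m.group("state").lower() == "enabled"
                        and WINDIR_EXE.match(m.group("path"))):
                    fw_paths[m.group("path").lower()] = name
                    findings.append({"indicator": "firewall_exception", "key": key,
                                     "name": name, "path": m.group("path")})
    # Same executable both auto-started and whitelisted in the firewall: the
    # combination described above. The companion .config file the description
    # mentions would sit beside the .exe, so its expected path is reported too.
    for path in run_paths.keys() & fw_paths.keys():
        findings.append({"indicator": "run_key_and_firewall_exception", "path": path,
                         "run_value": run_paths[path], "firewall_value": fw_paths[path],
                         "expected_config": path[:-len(".exe")] + ".config"})
    return findings


if __name__ == "__main__":
    # Stand-alone use: `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`
    # and pass the file contents instead of the constructed sample.
    for f in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f)
```

A Run value pointing straight into the Windows directory is a hint, not a verdict; the correlated finding (same path in the Run key and in the firewall exception list, with a ".config" sitting beside it) is the combination the description above actually characterizes.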
Payload
Backdoor Functionality
Backdoor:Win32/Nuwar.gen!D attempts to join a P2P network, where directives can be exchanged between like peers. Once connected to the network, active peers can be instructed to download and execute arbitrary files.
Additional Information
Listed below are some of the filenames associated with this threat:
123.exe
aromis.exe
farkrish.exe
foolsday.exe
found.exe
funny.exe
kavir.exe
kickme.exe
load.exe
shift.exe
StormCodec.exe
Analysis by Chun Feng
Prevention